From 56508a23f25c3d324a82f7afcaa6f630bb423778 Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Mon, 22 Aug 2016 12:38:46 +0200 Subject: [PATCH] Change UI and policy setup to use privilege groups instead of privileges Concept of privilege groups was added to privilege-checker module. Change-Id: I15c599372156ceb130f62248f7e12985d4521557 --- packaging/askuser.spec | 1 + src/agent/CMakeLists.txt | 1 + src/agent/notification-daemon/AskUserTalker.cpp | 65 +++++++++++++++++++------ src/agent/notification-daemon/GuiRunner.cpp | 12 ++--- src/agent/notification-daemon/po/en.po | 2 +- src/agent/notification-daemon/po/pl.po | 2 +- 6 files changed, 59 insertions(+), 24 deletions(-) diff --git a/packaging/askuser.spec b/packaging/askuser.spec index e972fdf..69284c4 100644 --- a/packaging/askuser.spec +++ b/packaging/askuser.spec @@ -21,6 +21,7 @@ BuildRequires: pkgconfig(libsystemd-daemon) BuildRequires: pkgconfig(libsystemd-journal) BuildRequires: pkgconfig(security-manager) BuildRequires: pkgconfig(security-privilege-manager) +BuildRequires: pkgconfig(glib-2.0) BuildRequires: coregl %{?systemd_requires} diff --git a/src/agent/CMakeLists.txt b/src/agent/CMakeLists.txt index 51321bc..85cbdd9 100644 --- a/src/agent/CMakeLists.txt +++ b/src/agent/CMakeLists.txt @@ -23,6 +23,7 @@ PKG_CHECK_MODULES(AGENT_DEP cynara-creds-socket libsystemd-daemon security-privilege-manager + glib-2.0 ) SET(ASKUSER_AGENT_PATH ${ASKUSER_PATH}/agent) diff --git a/src/agent/notification-daemon/AskUserTalker.cpp b/src/agent/notification-daemon/AskUserTalker.cpp index e3369ed..3823bc6 100644 --- a/src/agent/notification-daemon/AskUserTalker.cpp +++ b/src/agent/notification-daemon/AskUserTalker.cpp @@ -36,6 +36,8 @@ #include #include +#include +#include namespace AskUser { 
@@ -60,33 +62,67 @@ void setSecurityLevel(const std::string &app, const std::string &perm, const std { int ret; - policy_update_req *policyUpdateRequest = nullptr; - policy_entry *policyEntry = nullptr; - try { if (level != "Allow" && level != "Deny") throw std::invalid_argument("Not allowed security level <" + level + ">"); ALOGD("SecurityManager: Setting security level to " << level); + policy_update_req *policyUpdateRequest = nullptr; + ret = security_manager_policy_update_req_new(&policyUpdateRequest); throwOnSecurityPrivilegeError("security_manager_policy_update_req_new", ret); - ret = security_manager_policy_entry_new(&policyEntry); - throwOnSecurityPrivilegeError("security_manager_policy_entry_new", ret); + std::unique_ptr + policyUpdateRequestPtr(policyUpdateRequest, security_manager_policy_update_req_free); + + char* privacy_name = nullptr; + + ret = privilege_info_get_privacy_by_privilege(perm.c_str(), &privacy_name); + if (ret != PRVMGR_ERR_NONE || !privacy_name) { + ALOGE("Unable to get privacy group for privilege: <" << perm << ">, err: <" << ret << ">"); + throw Exception("Can't get privacy group name for privilege " + perm); + } + + GList *privilege_list = nullptr; - ret = security_manager_policy_entry_set_application(policyEntry, + ret = privilege_info_get_privilege_list_by_privacy(privacy_name, &privilege_list); + free(privacy_name); // not needed anymore below this place + + if (ret != PRVMGR_ERR_NONE || !privilege_list) { + ALOGE("Unable to get privacy group list of privileges; err: <" << ret << ">" ); + throw Exception("Unable to get privacy list of privielges"); + } + + auto list_deleter = [](GList* l) { g_list_free_full(l, free); }; + std::unique_ptr privilge_listPtr(privilege_list, list_deleter); + std::vector> policyEntries; + + for (GList *l = privilege_list; l != NULL; l = l->next) { + char *privilege_name = static_cast(l->data); + policy_entry *policyEntry = nullptr; + + ret = security_manager_policy_entry_new(&policyEntry); + 
throwOnSecurityPrivilegeError("security_manager_policy_entry_new", ret); + + policyEntries.push_back(std::unique_ptr(policyEntry, security_manager_policy_entry_free)); + + ret = security_manager_policy_entry_set_application(policyEntry, dropPrefix(app.c_str())); - throwOnSecurityPrivilegeError("security_manager_policy_entry_set_application", ret); + throwOnSecurityPrivilegeError("security_manager_policy_entry_set_application", ret); - ret = security_manager_policy_entry_set_privilege(policyEntry, perm.c_str()); - throwOnSecurityPrivilegeError("security_manager_policy_entry_set_privilege", ret); + ret = security_manager_policy_entry_set_privilege(policyEntry, privilege_name); + throwOnSecurityPrivilegeError("security_manager_policy_entry_set_privilege", ret); - ret = security_manager_policy_entry_set_level(policyEntry, level.c_str()); - throwOnSecurityPrivilegeError("security_manager_policy_entry_admin_set_level", ret); + ret = security_manager_policy_entry_set_level(policyEntry, level.c_str()); + throwOnSecurityPrivilegeError("security_manager_policy_entry_admin_set_level", ret); - ret = security_manager_policy_update_req_add_entry(policyUpdateRequest, policyEntry); - throwOnSecurityPrivilegeError("security_manager_policy_update_req_add_entry", ret); + ret = security_manager_policy_update_req_add_entry(policyUpdateRequest, policyEntry); + throwOnSecurityPrivilegeError("security_manager_policy_update_req_add_entry", ret); + } ret = security_manager_policy_update_send(policyUpdateRequest); throwOnSecurityPrivilegeError("security_manager_policy_update_send", ret); @@ -95,9 +131,6 @@ void setSecurityLevel(const std::string &app, const std::string &perm, const std } catch (std::exception &e) { ALOGE("SecurityManager: Failed <" << e.what() << ">"); } - - security_manager_policy_entry_free(policyEntry); - security_manager_policy_update_req_free(policyUpdateRequest); } } /* namespace */ 
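Review bot: When `privilege_info_get_privacy_by_privilege` fails for `perm`, the new code throws before any policy entry is built, so (assuming `Exception` derives from `std::exception`) the catch block only logs and the user's answer never reaches security-manager, whereas the old code still set the level for that single privilege. If privileges outside a privacy group can reach `setSecurityLevel` (not visible here), either fall back to a one-entry request for `perm` or add a comment stating that only privacy privileges are expected. Because one answer now changes the level of every privilege in the group, the `ALOGD` line should also name the app, the group and each `privilege_name`, so the widened grant can be traced in logs. Minor: `privilge_listPtr` and the message "Unable to get privacy list of privielges" are misspelled, and `free(privacy_name)` could use the same `std::unique_ptr` guard that `friendlyPrivilegeName` uses. The function starts above this hunk and its catch block closes in the next one.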
diff --git a/src/agent/notification-daemon/GuiRunner.cpp b/src/agent/notification-daemon/GuiRunner.cpp index 3ef37f2..f8b9cee 100644 --- a/src/agent/notification-daemon/GuiRunner.cpp +++ b/src/agent/notification-daemon/GuiRunner.cpp @@ -95,14 +95,14 @@ Eina_Bool timeout_answer(void *data) { std::string friendlyPrivilegeName(const std::string &privilege) { - char *name = nullptr; - int res = privilege_info_get_privilege_display_name(privilege.c_str(), &name); - if (res != PRVMGR_ERR_NONE || !name) { - ALOGE("Unable to get privilege display name for: <" << privilege << ">, err: <" << res << ">"); + char *privacy_display_name = nullptr; + int res = privilege_info_get_privilege_group_display_name(privilege.c_str(), &privacy_display_name); + if (res != PRVMGR_ERR_NONE || !privacy_display_name) { + ALOGE("Unable to get privilege group display name for: <" << privilege << ">, err: <" << res << ">"); return privilege; } - std::string ret(name); - free(name); + std::unique_ptr antiMemLeak(privacy_display_name, free); + std::string ret(privacy_display_name); return ret; } diff --git a/src/agent/notification-daemon/po/en.po b/src/agent/notification-daemon/po/en.po index 4d79bf5..20b1877 100644 --- a/src/agent/notification-daemon/po/en.po +++ b/src/agent/notification-daemon/po/en.po @@ -11,4 +11,4 @@ msgid "SID_PRIVILEGE_REQUEST_DIALOG_BUTTON_ALLOW" msgstr "Always" msgid "SID_PRIVILEGE_REQUEST_DIALOG_MESSAGE" -msgstr "Application %s requested privilege for %s." +msgstr "Application %s requested access to %s." diff --git a/src/agent/notification-daemon/po/pl.po b/src/agent/notification-daemon/po/pl.po index 84ebb1e..053eb94 100644 --- a/src/agent/notification-daemon/po/pl.po +++ b/src/agent/notification-daemon/po/pl.po @@ -11,4 +11,4 @@ msgid "SID_PRIVILEGE_REQUEST_DIALOG_BUTTON_ALLOW" msgstr "Zawsze" msgid "SID_PRIVILEGE_REQUEST_DIALOG_MESSAGE" -msgstr "Aplikacja %s zażądała przywileju do %s." +msgstr "Aplikacja %s prosi o dostęp do zasobu %s." -- 2.7.4
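Review bot: The failure path `return privilege;` in `friendlyPrivilegeName` still puts the single privilege name in the dialog, while `setSecurityLevel` in AskUserTalker.cpp now applies the answer to every privilege in that privilege's privacy group, so the user can be asked about less than is granted. The name here comes from `privilege_info_get_privilege_group_display_name(privilege.c_str(), ...)`, but the policy side resolves the group with `privilege_info_get_privacy_by_privilege`. It is worth confirming that both resolve to the same group for every privilege, and that the first call accepts a privilege name rather than a group name. When the group name cannot be resolved, consider reporting an error to the caller instead of prompting with the raw privilege string. A comment above the function such as `// Returns the display name of the privacy group containing 'privilege'; the dialog text must match what setSecurityLevel() grants.` would record that coupling.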